When moving out of the summer lull and into the autumn months, it can feel like a steady countdown to the festive period for many of us. However, there is nothing steady about this time of year for retailers and other businesses preparing for the invariable and often overwhelming demand that marks the holiday season. One more ingredient to add to this is the increasing importance of e-commerce and fulfillment, with 70% of British consumers preferring online shopping in 2021 and an expected 10.7% year-on-year growth from last year’s record-breaking numbers.
With so many transactions and, therefore, a torrent of financial data being exchanged online, putting the finishing touches on an adequate security posture and maximizing the availability of your network for customers is essential in the build-up to flashpoints like Black Friday and Cyber Monday. So what exactly are the risks associated with peak shopping times and, crucially, how can IT and security teams mitigate them?
Pairing Performance and Availability Security
Just as Father Christmas has to deliver presents to every household in one night, IT teams have the equally daunting task of ensuring systems can fulfill tens of thousands of requests at peak times. Unfortunately, these peaks can be the most challenging times to fulfill data requests, and they are also among the most vulnerable moments for attackers to exploit.
For those making use of a CDN, evaluating and optimizing the use of cached objects can help relieve pressure around critical site functions. Caching can so often act as your dual shield when it comes to availability, ensuring customers have the content when they need it, but also, it can drastically reduce the load on your infrastructure in the event of a DDoS attack. Moments like this, where performance and security benefits interact, are part and parcel of developing a more holistic security posture.
A Strong Line of Defence: Keeping out the Cyber Grinches
The truth is that even the most robust traffic management frameworks are not enough to prevent malicious threat actors from trying to exploit the thinly stretched security resources at busy times of the year. Therefore, one must prepare for a range of attack vectors to maintain network integrity. One method that has been growing in scale and sophistication in recent years is the DDoS attack. In the first three months of 2021, there were more DDoS attacks (over 50GB/s) than in the entirety of 2019. At such a busy time of year, the potential for attackers to operate for financial gain or even just malicious disruption of services is considerable. Repelling attempts of this type require, at the very least, adequately tuned rate controls that are defaulted to Deny.
Of no less importance is a comprehensive level of API protection; with so many vital transactions and requests happening via APIs, it is worth considering the same level of protection for them that is afforded to web traffic. The risk of a breach through an API is not to be underestimated, with research from Gartner suggesting that by 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications. The latest generation of API protection tools can protect the application layer from DDoS attacks and prevent traffic from malicious actors through intelligent automated inspections of activity.
Bot management software is a powerful weapon in your cybersecurity arsenal, providing functionality to detect and avert threats from even the most evasive bots. Unfortunately, as attackers become more sophisticated, so too do the bots they create to compromise networks. By combining bot management with a thorough review of your critical transactional endpoints, you’ll be well equipped to combat credential stuffing and account takeover attacks.
Preparing for the holiday mania is, in fact, an all-year-round process. However, evaluating and reflecting on these risks as you finalize a security infrastructure that can withstand retail’s golden period could well give you and your teams a silent night.
Richard Meeus Director of Security Technology and Strategy EMEA, Akamai